Peut-on encore considérer que les US assurent un niveau de protection adéquate ?

Le European Data Protection Supervisor (EDPS) vient de rendre ses conclusions et recommandations sur l’utilisation des produits et services Microsoft par les institutions de l’UE et s’inquiète notamment de la localisation des données, des transferts internationaux et du risque de fuite de données.

 

“EU institutions needed to put in place a comprehensive and compliant controller-processor agreement and documented instructions of the EU institutions to the processors. Their lack of control over which sub-processors Microsoft used and lack of meaningful audit rights also presented significant issues (…) EU institutions faced a number of linked issues concerning data location, international transfers and the risk of unlawful disclosure of data. They were unable to control the location of a large portion of the data processed by Microsoft. Nor did they properly control what was transferred out of the EU/EEA and how. There was also a lack of proper safeguards to protect data that left the EU/EEA. EU institutions also had few guarantees at their disposal to defend their privileges and immunities and ensure that Microsoft would only disclose personal data insofar as permitted by EU law (…) The EU institutions had insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations towards data subjects

 

Rappelons que par l’artifice du Privacy Shield qui est venu palier à la non conformité des US au Safe Harbour suite notamment à l’affaire Snowden ayant révélé que les US ont illégalement espionné leurs citoyens et ceux du monde entier, y compris leurs dirigeants, avec la complicité des GAFAM (cf. Prism), les US ne sont considérés que comme un pays en adéquation partielle avec le niveau de protection de données éxigé au sein de l’UE.

 

Peut-on encore considérer que les US assurent un niveau de protection adéquate ?

 

Télécharger (PDF, 323KB)